ITS Security Advisory: Notepad++ Privilege Escalation Vulnerability
University of Kentucky Information Technology Services (UK ITS) is alerting the campus community to a recently disclosed security vulnerability affecting Notepad++.
Notepad++ has confirmed a privilege escalation vulnerability, tracked as CVE-2025-49144, that impacts several versions of the application. The issue exists within the Notepad++ installer, where insecure executable search paths may allow an unprivileged local user to gain SYSTEM-level privileges on a Windows device.
Although exploitation requires local access, the severity of this vulnerability warrants immediate attention.
Who Is Affected
- Users running older versions of Notepad++ on Windows systems
- Systems where Notepad++ was installed using the vulnerable installer versions
Recommended Remediation
UK ITS strongly recommends the following actions for all users who have Notepad++ installed:
- Uninstall any and all versions of Notepad++ from your device.
- Download Notepad++ version 8.9.1, which includes the necessary security enhancement.
- Manually run the installer to complete the update.
Official Download:
https://notepad-plus-plus.org/downloads/v8.9.1/
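To confirm whether a device still needs the steps above, the following PowerShell check (an added example, not from UK ITS or Notepad++) lists installed Notepad++ entries and flags any below version 8.9.1. It assumes the installer registers an Uninstall registry entry whose DisplayName starts with "Notepad++".

```powershell
# Added example: report installed Notepad++ versions and flag any below 8.9.1.
# Assumption: the Uninstall registry entry has a DisplayName starting with "Notepad++".
$recommended = [version]'8.9.1'   # version recommended in this advisory

# Standard Windows locations for installed-program entries (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -like 'Notepad++*' }

if (-not $found) {
    Write-Output 'Notepad++ not found in the Uninstall registry keys.'
    return
}

$results = foreach ($entry in $found) {
    $parsed = $null
    # DisplayVersion can be missing or not a dotted version; flag that for manual review.
    $ok = [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)

    if (-not $ok) {
        $status = 'UNKNOWN - check manually'
    }
    elseif ($parsed -lt $recommended) {
        $status = 'BELOW 8.9.1 - uninstall and reinstall'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        DisplayName     = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        Status          = $status
        UninstallString = $entry.UninstallString
    }
}

$results | Format-List
```

Run it again after reinstalling to confirm that only an entry at 8.9.1 or later remains.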
Alternative Option
Users who do not require Notepad++-specific features may choose to:
- Uninstall Notepad++ entirely
- Use Windows Notepad as a secure alternative
Additional Information
Notepad++ has published full details about the incident, including technical context and mitigation steps, on their official website:
https://notepad-plus-plus.org/news/hijacked-incident-info-update/